Private Information

Raw data, which may include non-obvious potentially private information, must be transferred securely.

Raw data must be stored securely and access to the data must be strictly controlled. To access the raw data stored on an Eclipse Foundation Server, an individual must be a committer. An individual must sign a non-disclosure agreement (NDA) with The Eclipse Foundation to get access to raw data that may include personally identifiable information.

Obvious means of identifying a specific individual or organization (e.g. IP address) must not be persisted. Server logs that are accessible only by Eclipse Foundation Webmasters are exempt.

Reasonable effort must be taken to avoid persisting or disseminating information that can inadvertently be used to identify an individual or organization.

Dissemination

Information that may be used to identify individuals or organizations must not be made publicly available.

The retention policy for publicly accessible data must be documented.

Auditing and Approval

Documentation, including a full description of the nature of all information captured by a call-home service, must be publicly accessible.

When it is clear from context that information will be sent and/or received, user-initiated operations--for example, a user-initiated build that downloads artifacts from Maven Central, or a user-initiated file transfer that sends a file to a remote server via SFTP--are acceptable without formal approval.

Operations that fetch data only (i.e. no data is sent from the user's workstation) from Eclipse Foundation servers--for example, pulling items from a news feed--are acceptable without formal approval. PMC approval is required for a project to implement an operation that fetches data from a third-party source.

Operations that upload data--for example, a list of all currently installed bundles and/or JVM version, or usage patterns--require PMC and EMO(ED) approval. The default configuration must target Eclipse Foundation-managed servers only for uploads. Exceptions to this rule can only be granted by the EMO(ED). Projects can (and should) implement extensible frameworks that permit adopters to upload data to different targets.

Opt-in

Any operation that uploads data must be "opt-in". That is, the user/adopter must agree to participate (agreement may be implicit due to the nature of the service).

If the nature of the data being collected changes, the user/adopter must be informed of the changes and be given the opportunity to explicitly agree to continue participation.

Services that get/pull data only do not require "opt-in". The server components for these services must not attempt to persist any information related to a get/pull data service (server logs, with access restricted to Eclipse Foundation staff only, are exempted from this requirement).

Common Mechanism

Reasonable effort must be undertaken to leverage existing mechanisms rather than create new ones.